Re: IE URL obfuscation
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 12/11/03
- Previous message: Jakob Balle: "Re: IE URL obfuscation"
- Maybe in reply to: Ben Reardon: "IE URL obfuscation"
- Next in thread: Mark Burnett: "More on IE URL obfuscation"
- Reply: Mark Burnett: "More on IE URL obfuscation"
Date: Thu, 11 Dec 2003 13:29:03 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Some additional results...
----
From: "Womack, Michael"
Date: Thu, 11 Dec 2003 13:22:14 -0500

A side note raised by Jakob's (Secunia) demo...

While Mozilla (1.5) does not exhibit the same truncation in the address bar, the status bar text displayed while hovering over the link on the Secunia test page *is* truncated at the %00. The status text is convincing enough to encourage a click.

----
Date: Thu, 11 Dec 2003 09:45:41 -0800
From: lance_kujala

For what it's worth... I tried the test out with Mozilla 1.2.1 (from Redhat9); the %01 shows up in the link as an icon, the address bar shows the FULL url, the status bar (with the mouse over the link) only shows the first part of link (everything before the @).

At this point I would assume this affects ALL browsers on ALL operating systems, until proven otherwise.

----
Date: Thu, 11 Dec 2003 17:39:20 -0000
From: "Mark Crouch"

First post, please be gentle!

I've developed a habit of checking URLs on web pages before I click on them - hovering over some just gives a long string of (mostly) meaningless numbers used as part of a redirect. Right-clicking the URL and selecting "Properties" shows the complete URL which you can highlight, copy and then paste into e.g. Notepad or IE's Address bar, for further analysis.

Doing the same thing on Secunia's exploit test page yields interesting results; the properties of the "rogue URL" shows www.microsoft.com with a small black square next to it and the file type is also a "COM| file" (the '|' denotes the square!).

However, if you use the context menu's "Copy Shortcut" option and paste the results into Notepad or the IE Address Bar, you get the full, unadulterated rogue URL - it's a bit of a manual task but the end justifies the means!

----
Date: Thu, 11 Dec 2003 15:32:14 -0200
From: Andreas Saurwein

Seems that Mozilla's Firebird (0.6x and 0.7x) is partially vulnerable too. The link in the test shows up in the status bar as http://www.microsoft.com with a non-regular character attached.
The address bar shows it correctly with the encoded %01%00.

----

Cheers,
Russ - NTBugtraq Editor
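The reports above share one pattern: a host-shaped name and encoded control bytes (%01, %00) placed before the `@`, so a display that stops at the NUL hides the real host. The following is an added example, not part of the original thread, that flags such links; `inspect_link`, the `example.test` host and the cut-at-NUL display model are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote_to_bytes


def inspect_link(href):
    """Report where href really goes and why its userinfo is suspect."""
    parts = urlsplit(href)
    userinfo, at, _ = parts.netloc.rpartition("@")
    result = {
        "real_host": parts.hostname or "",   # what the client connects to
        "display_if_cut_at_nul": href,       # modelled truncated display
        "findings": [],
    }
    if not at:
        return result  # no userinfo part, nothing can hide the host

    result["findings"].append("userinfo-present")
    raw = unquote_to_bytes(userinfo)  # decode %XX so hidden bytes are visible

    if any(b < 0x20 or b == 0x7F for b in raw):
        result["findings"].append("control-byte-in-userinfo")

    # A dotted "user name" reads like a hostname to someone glancing at it.
    visible = bytes(b for b in raw if 0x20 < b < 0x7F)
    if b"." in visible.split(b":", 1)[0]:
        result["findings"].append("userinfo-looks-like-host")

    # Simplified model of the reports: text after the first NUL is not shown.
    nul = raw.find(b"\x00")
    if nul != -1:
        shown = raw[:nul].decode("latin-1")
        result["display_if_cut_at_nul"] = f"{parts.scheme}://{shown}"
    return result


# Constructed sample links (not taken from the Secunia test page).
SAMPLES = [
    "http://www.microsoft.com%01%00@example.test/login.html",
    "http://www.microsoft.com/windows/",
    "ftp://anonymous@ftp.example.test/pub/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", inspect_link(link))
```

Run over the links in a message or page, this gives a mail gateway or proxy the same answer as the manual "Copy Shortcut" check described above: the host after the `@` is the one that matters.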